BruCON 0x0D has ended
Thursday, October 7
 

09:45 CEST

BruCON Opening
Thursday October 7, 2021 09:45 - 10:00 CEST
01. Westvleteren University

10:00 CEST

Hacktivism during a global pandemic

Like a lot of things, “Hacktivism” has grown up over the last 30 years. When we started, we were a bunch of annoying rebellious kids attacking websites. Today we are everywhere, and do everything, from helping write national policy to defending hospitals from cybercriminals during a global pandemic to protecting NGOs in war zones. That’s quite a leap. How on earth did we get here?

Why is this important? What can a bunch of idealistic nerds do in the face of a global dumpster fire?

Let me tell you some stories. Hopefully afterwards some of you will come and join us on the dark side. We have cookies.

Speakers

Marc Rogers

Marc Rogers is VP of Cybersecurity at Okta and a whitehat hacker & hacktivist. He has been hacking since the 80’s and is renowned for hacking things like Apple's TouchID and the Tesla Model S. Prior to Okta, Mr. Rogers served as the Head of Security for Cloudflare and spent a decade... Read More →


Thursday October 7, 2021 10:00 - 11:00 CEST
01. Westvleteren University

11:00 CEST

Automating Binary Analysis with Ghidra's P-Code
“Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate“ (https://github.com/NationalSecurityAgency/ghidra). It provides a great free and capable alternative to IDA Pro and Binary Ninja for manual static binary analysis. A lesser-known fact is that Ghidra also provides a great API and an even better SDK for writing Ghidra scripts. The API can be used to quickly script tasks in your reversing work; the SDK, however, gives access to everything that is under the hood. This allows you to write scripts that can do anything that is possible with Ghidra. With that, you are no longer limited to simple scripts: you can write fully automated binary analysis tools that use Ghidra in headless mode.

Another lesser-known feature of Ghidra is its intermediate language, called P-Code. P-Code lies between the assembly code and the decompiled code that the Ghidra UI shows. It is a register transfer language: every individual processor instruction is translated into a sequence of P-Code operations that describes the instruction, including all of its side effects, such as setting a flag.

In this talk, we are going to focus on the combination of these two features and start building binary analysis tools using Ghidra P-Code. This setup has some significant benefits. Just to mention one: if you only work with P-Code and never look at the assembly, then your script is architecture-independent and supports every architecture that the Ghidra decompiler supports. Another significant benefit is that Ghidra is free and open source. That allows you to deploy your tool more freely without worrying about licensing issues and gives you the possibility to dig deep into Ghidra’s source code to understand how different classes work.

We will first familiarize ourselves with P-Code: understand how it works and what it looks like when we access it through the SDK. Then we will start building simple scripts to see P-Code used in automation. With these, we will work our way up to a more complex scenario.

Whatever your favorite disassembler is, it is worth looking at Ghidra because it holds some interesting features that can help you in your next binary analysis project.

Speakers

Gergely Revay

Geri hacks stuff for fun and profit, at Siemens AG in Germany. He spent almost a decade doing penetration tests and security assessments. In recent years his focus was on security research around reverse engineering and binary analysis. He created hacking trainings at https://h... Read More →


Thursday October 7, 2021 11:00 - 12:00 CEST
01. Westvleteren University

13:30 CEST

eCos Offensive Security Research Logbook
Since the inception of the eCos RTOS in 1998, almost no dedicated research into its inner workings from an offensive security perspective has been published. The only notable exception is the Cable Haunt research by Lyrebird, which started to cover binary exploitation but only scratched the surface. From cable modems to ICS components, millions of devices are currently running on eCos, but it seems that no one has ever looked into them.

To fill this void, we launched ecos.wtf in March 2021. The project aims at documenting everything related to eCos platform security research in a single place. We published posts detailing Broadcom's eCos internals (interrupts and exception handling, memory layout, heap management), eCos firmware analysis, exploitation of memory corruption vulnerabilities, and building eCos firmware implants. These posts were the product of dedicated security research into eCos-based cable modems deployed by Belgian ISPs such as VOO and Orange Belgium.

During this presentation, we will demonstrate how to pull eCos firmware images, analyze them, write exploits, and gain long-term persistence on devices. By doing so, we hope to provide the required methodology, tools, and techniques to security professionals who want to get involved in the wonderful world of eCos security.

Speakers

Quentin Kaiser

Quentin Kaiser is an ex-penetration tester who turned binary analysis nerd. He's currently working as a security researcher at the IoT Inspector Research Lab, where he focuses on binary exploitation of embedded devices and bug finding automation within large firmware. He's the initiator... Read More →


Thursday October 7, 2021 13:30 - 14:30 CEST
01. Westvleteren University

14:30 CEST

PIC Your Malware!
For red teamers and real threat actors, operational security is a key skill to achieve the goals of an operation. While evading security products and fooling analysts was a trivial task for years, it has become more difficult to stay under the radar of the blue team. Exhaustive logging, automated triaging of suspicious processes and scanning for malicious memory artefacts are powerful techniques that allow defenders to easily spot attackers. Therefore, adapting, customizing and implementing new offensive tools is an important task for attackers to stay ahead of the defenders.

This talk outlines our approaches to building customized tools and hiding them from analysts and security products on the endpoint. It will be explained how popular PE loading techniques, such as Reflective DLLs or Donut/sRDI, can be spotted by the artefacts they leave in memory, and how position independent code (PIC) can be leveraged to avoid these artefacts. Nevertheless, utilizing these techniques allows rapid building and deployment of payloads. It will be demonstrated how we build and protect our payloads with an automated build server supporting multiple file formats and environmental keying.

Information will be shared on how defenders use exhaustive logging and correlation of Windows events to identify malicious processes, and how we use concepts such as handle duplication and custom PE loaders to avoid certain Sysmon events.

Speakers

Ben Heimerdinger

We are members of the Code White Red Team and have over five / seven years of experience in offensive security. At Code White we are part of the offensive tooling team where we develop offensive tools allowing the operators to achieve the goals of the engagement while trying to stay... Read More →

Sebastian Feldmann



Thursday October 7, 2021 14:30 - 15:30 CEST
01. Westvleteren University

16:00 CEST

Visibility beyond perimeters: Detecting C2 at time of execution.
Quickly detecting malicious intruders in the network is a million-billion-dollar business. Unfortunately, after decades of this problem, detecting bad actors still relies on updated versions of technologically old techniques: anti-virus, log files and packet captures.

Network EDR is only effective inside the perimeter of the organization and suffers from scaling problems due to the massive amounts of network traffic generated by modern applications. Endpoint detection is limited by event verbosity, OS version and platform age. Anti-virus loses to obfuscation frameworks every day.

All of these techniques rely on software running on the endpoints, which advanced actors frequently disable to hide their activities from the administrators. Even worse, these endpoint clients are also reliant on signatures and heuristics designed by the vendor, meaning detection frequently lags behind the speed by which actors can change their tactics or obfuscate their tools.

These limitations are compounded across different OS vendors, versions and server/client platforms. And none of them can detect a supply-chain attack, or an attack against a partner whose security isn’t as robust.

In this talk I’ll describe a groundbreaking new method of leveraging network IOCs beyond how they are leveraged by existing XDR platforms. This method provides near-real-time alerting with zero endpoint client software and identical fidelity across all OS versions and vendors. By sitting outside the organization's perimeter, focusing on what the attacker sees, and leveraging relationships with internet infrastructure providers, this technique can detect the moment a beacon is sent, as well as malware families and spread rate. Because it isn’t dependent on client software, this data covers activity from both your network and your partners' networks. I’ll demonstrate how this technology can augment existing EDR solutions, addressing an industry-wide gap and giving organizations extra days (or weeks) to prevent a Data Apocalypse.

I'll draw from real-world examples of how this technology was leveraged in CTI League in 2020 to provide hospitals with an 'early alert system', giving them more time to evict bad actors before a ransomware payload was deployed.

Speakers

Nate Warfield

Nate has been a hacker since he first laid hands on a 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response, endpoint research and side projects... Read More →


Thursday October 7, 2021 16:00 - 17:00 CEST
01. Westvleteren University

17:00 CEST

The risk of CI/CD pipeline poisoning via CodeBuild: On the intricate challenges of setting up a secure CI/CD pipeline
In this session we focus on CI/CD pipelines deployed via AWS managed services, such as CodeBuild, CodeDeploy and CodePipeline, and we demonstrate how small decisions can have a significant impact on the security of the CI/CD pipeline, even to the point where the trustworthiness of the pipeline is broken (a poisoned pipeline).

CodeBuild’s functionality can be abused to allow developers to bypass existing security controls implemented as part of the SDLC environment, such as peer code review, code approval processes, segregation of duties and secrets management. This can introduce a, perhaps, unforeseen vector for exfiltrating application secrets, tampering with the application and, potentially, taking full control of the deployment servers by executing commands using elevated privileges.

Due to the shared responsibility model, this is mostly an AWS customer’s challenge. Moreover, customers will be exposed to the risk even when following AWS samples, tutorials, and even managed services that help simplify and automate the setup of CI/CD pipelines in the cloud environment, such as CodeStar.

In this session we want to explain and warn the DevSecOps and Cloud communities about this pipeline poisoning risk in particular, so that it can be taken into account when securing CI/CD pipelines in the cloud, and, in general, showcase the new challenges and considerations that cloud solutions bring to those adopting the cloud.

Speakers

Asier Rivera

Asier has been part of the Cyber & Privacy team of PwC Belgium since he joined in September 2017 after finishing his studies. As a member of the technical security and risk management team, Asier is strongly focused on the technical aspects of application security and secure software... Read More →


Thursday October 7, 2021 17:00 - 18:00 CEST
01. Westvleteren University
 
Friday, October 8
 

10:00 CEST

How to make Belgium one of the least cyber vulnerable countries in Europe by 2025?
On the 20th of May the Belgian Prime Minister presented the new cyber strategy to the national security council, which approved it. Its objective is to make Belgium one of the least cyber vulnerable countries in Europe.

Do you want to know what we are preparing for the next four years?
What are the main lines of this new strategy?
How, together with all the actors concerned, do we plan to protect companies, operators of essential services, citizens, administrations and critical infrastructures?

Phédra Clouner will present the Belgian strategic approach. She’ll also explain how European initiatives have influenced and will influence our approach.


Speakers

Phédra Clouner

After having obtained a Master’s degree in Ancient History and a Master’s degree in Information & Communication Technology at the ULB, Phédra Clouner started her career at the Belgian Ministry of Finance as IT Project Manager. Specializing in document management, enterprise content... Read More →


Friday October 8, 2021 10:00 - 11:00 CEST
01. Westvleteren University

11:00 CEST

Exorcising the Ghost in the Machine: A Critical Assessment of Supply Chain Intrusion Vectors
Supply chain attacks appear to be among the most concerning threat vectors for many organizations, yet most descriptions of such threats appear to either ignore or be ignorant of the steps required to actualize an implant for offensive purposes. First, this talk will work to disambiguate two distinct attack types often lumped together: software/hardware supply chain attacks via modification, and trusted third-party/vendor/contractor compromise to facilitate access to supported organizations. This distinction is very important, and treating these two event types as equivalent is deeply confusing.

After setting the groundwork for discussion, physical or software supply chain attack (e.g., modification of device hardware, firmware, "adding a rice-sized chip" to a motherboard, or altering source code) functionality and execution will be analyzed in detail: how these attacks work in practice, and what actions and accesses are required to make these attacks useful. Based on this exploration, defenders will gain insight into the true scope and meaning of such attacks, specifically: how such attacks are overhyped; why such attacks are extremely difficult to execute; and how multiple defensive measures exist to detect or mitigate against such attacks. From this analysis, defenders and information security stakeholders will learn how to precisely orient the risk of supply chain compromise events, and exorcise the persistent threat of a “ghost in the machine”.

Speakers

Joe Slowik

Joe Slowik has over 10 years of experience across multiple roles in both offensive and defensive cyber operations. Currently leading threat intelligence and detection development efforts at Gigamon, Joe continues to apply an adversary-focused approach to network security issues.


Friday October 8, 2021 11:00 - 12:00 CEST
01. Westvleteren University

13:30 CEST

Chasing the White Whale of Malware: Foundations for Understanding Operational Technology Binaries
Finding malware is not difficult. Multiple platforms offer security analysts access to malicious files of all colours and flavours. However, as the amount of data grows we may be missing unique types of malware hidden in plain sight: white whale samples that have only been observed a couple of times and were developed to cause damage in the physical world by targeting operational technologies.

Although we have only observed operational technology (OT) malware (e.g. TRITON or Industroyer) a couple of times in the wild, it is possible that similar samples are currently being developed and tested. We do not want to see this type of malware ever deployed in the real world, as it is designed to target the physical integrity of infrastructure, people, and industrial processes.

However, identifying OT malware is not simple. Common methods used to detect malicious behaviours (e.g. sandboxes) are currently not able to understand and analyse OT binaries. For example, legitimate scripts developed by original equipment manufacturers (OEMs) or by operators to fulfil precise process objectives often cannot be read by automated malware analysis solutions, or are flagged as malicious when unable to run. Therefore, finding and filtering OT software samples worth analysing is already a challenge.

In this talk we will describe the unique challenges we have faced while filtering binaries from OT products and vendors. We will then walk through simple methods that do not require advanced reverse engineering skills (e.g. static strings, strings in memory, analysis of functions, or import hashing) to set up a partial benchmark for sorting OT binaries. For that, we will use several Modbus samples to illustrate our successes and failures filtering these samples during the initial analysis steps. We hope our stories encourage entry and intermediate level analysts to take their first steps towards recognizing and identifying interesting OT samples.

Speakers

Daniel Kapellmann Zafra

Technical Analysis Manager for Mandiant where he oversees the strategic coverage of cyber physical threat intelligence and coordinates the development of tools and solutions to collect and analyze data. He is a frequent speaker on industrial control systems (ICS) / operational technology... Read More →


Friday October 8, 2021 13:30 - 14:30 CEST
01. Westvleteren University

14:30 CEST

Android malware targeting Belgian Financial apps
Mobile malware has been around since the first versions of Android and iOS, ranging from premium-text scams to ransomware to banking trojans. Until recently, banking trojans steered clear of Belgian financial apps, but with the rise of TeaBot, this has finally changed. In this presentation I will give you a crash course on Android malware, explain how banking trojans work and what we can do to stop them.

Speakers

Jeroen Beckers

Jeroen is Mobile Solution Lead of the NVISO Software Security & Assessments team, where he is responsible for all mobile engagements. He is also the lead author for SANS Course SEC575: Mobile Device Security and Ethical Hacking and is co-author of the OWASP MSTG and the OWASP MASVS... Read More →


Friday October 8, 2021 14:30 - 15:30 CEST
01. Westvleteren University

16:00 CEST

Defeating EDRs using Dynamic Invocation in C#
How can red team operators emulate covert operations and operate at the same level as a real threat group? EDR solutions can make the life of a red team operator significantly harder. Dynamic invocation (also known as D/Invoke), a sub-branch of the popular “SharpSploit” project, can help with evading those pesky EDRs and executing your payloads successfully. In this presentation, we will go over D/Invoke's capabilities and how to leverage them in your red team operations.

Speakers

Jean-Francois Maes

Jean-François Maes is a senior consultant at TrustedSec specialized in red teaming and infra pentests. On top of his consulting work, Jean-François is also a SANS instructor, teaching the SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection course. He... Read More →


Friday October 8, 2021 16:00 - 17:00 CEST
01. Westvleteren University

17:00 CEST

BruCON Closing
Friday October 8, 2021 17:00 - 17:30 CEST
01. Westvleteren University
 